Cryptography

PDF generated using the open source mwlib toolkit. See http://code.pediapress.com/ for more information. PDF generated at: Tue, 07 Aug 2012 04:04:28 UTC

Contents

Articles

Overview  1
  Cryptography  1
  Cryptanalysis  15
  History of cryptography  24
Classical cryptography  33
  Caesar cipher  33
  Substitution cipher  38
  Transposition cipher  45
  Vigenère cipher  49
  One-time pad  56
Modern cryptography  68
  Symmetric-key algorithm  68
  Public-key cryptography  69
  Cryptographic hash function  79
Major symmetric key algorithms  87
  Stream cipher  87
  Block cipher  93
  RC4  103
  Data Encryption Standard  111
  Advanced Encryption Standard  123
  Feistel cipher  132
Major public key systems  135
  RSA  135
  Diffie-Hellman key exchange  145
  Elliptic curve cryptography  152
  NSA Suite B Cryptography  158
Cryptographic hash functions  160
  MD5  160
  SHA-1  169
  SHA-2  178
  SHA-3  185
  Message authentication code  190
Key management  193
  Cryptographic key  193
  Key management  194
  Key size  197
  Public key infrastructure  201
  Web of trust  205
Cryptanalysis  209
  Frequency analysis  209
  Cryptanalysis of the Enigma  213
  Man-in-the-middle attack  241
  Differential cryptanalysis  245
  Side channel attack  248
  Random number generator attack  251
  Rainbow table  254
Applications of cryptography  260
  Transport Layer Security  260
  Pretty Good Privacy  277
  GNU Privacy Guard  285
  Digital signature  288
  Digital rights management  295
Cipher machines  319
  Jefferson disk  319
  Enigma machine  324
  The "Purple" cryptographic machine  343
  SIGABA  347
  KL-7  350
  Fialka  353
  NSA encryption systems  356
Voice encryption  362
  SIGSALY  362
  STU-III  366
  Secure Terminal Equipment  369
  Secure Communications Interoperability Protocol  370

References

Article Sources and Contributors  373
Image Sources, Licenses and Contributors  380

Article Licenses

License  383

Overview

Cryptography

Cryptography (or cryptology; from Greek κρυπτός, "hidden, secret"; and γράφειν, graphein, "writing", or -λογία, -logia, "study", respectively)[1] is the practice and study of techniques for secure communication in the presence of third parties (called adversaries).[2] More generally, it is about constructing and analyzing protocols that overcome the influence of adversaries[3] and which are related to various aspects in information security such as data confidentiality, data integrity, and authentication.[4] Modern cryptography intersects the disciplines of mathematics, computer science, and electrical engineering. Applications of cryptography include ATM cards, computer passwords, and electronic commerce.

Symmetric-key cryptography, where the same key is used both for encryption and decryption

Cryptography prior to the modern age was effectively synonymous with encryption, the conversion of information from a readable state to apparent nonsense. The originator of an encrypted message shared the decoding technique needed to recover the original information only with intended recipients, thereby precluding unwanted persons from doing the same. Since World War I and the advent of the computer, the methods used to carry out cryptology have become increasingly complex and its application more widespread. Modern cryptography is heavily based on mathematical theory and computer science practice; cryptographic algorithms are designed around computational hardness assumptions, making such algorithms hard to break in practice by any adversary. It is theoretically possible to break such a system, but it is infeasible to do so by any known practical means. These schemes are therefore termed computationally secure; theoretical advances (e.g., improvements in integer factorization algorithms) and faster computing technology require these solutions to be continually adapted. There exist information-theoretically secure schemes that provably cannot be broken even with unlimited computing power (an example is the one-time pad), but these schemes are more difficult to implement than the best theoretically breakable but computationally secure mechanisms.

German Lorenz cipher machine, used in World War II to encrypt very-high-level general staff messages

Cryptology-related technology has raised a number of legal issues. In the United Kingdom, additions to the Regulation of Investigatory Powers Act 2000 require a suspected criminal to hand over their encryption key if asked by law enforcement. Otherwise the user will face a criminal charge.[5] The Electronic Frontier Foundation (EFF) is involved in a case in the Supreme Court of the United States, which may determine whether requiring suspected criminals to provide their encryption keys to law enforcement is unconstitutional. The EFF is arguing that this is a violation of the right of not being forced to incriminate oneself, as given in the fifth amendment.[6]

Terminology

Until modern times cryptography referred almost exclusively to encryption, which is the process of converting ordinary information (called plaintext) into unintelligible gibberish (called ciphertext).[7] Decryption is the reverse, in other words, moving from the unintelligible ciphertext back to plaintext. A cipher (or cypher) is a pair of algorithms that create the encryption and the reversing decryption. The detailed operation of a cipher is controlled both by the algorithm and in each instance by a "key". This is a secret parameter (ideally known only to the communicants) for a specific message exchange context. A "cryptosystem" is the ordered list of elements of finite possible plaintexts, finite possible cyphertexts, finite possible keys, and the encryption and decryption algorithms which correspond to each key. Keys are important, as ciphers without variable keys can be trivially broken with only the knowledge of the cipher used and are therefore useless (or even counter-productive) for most purposes. Historically, ciphers were often used directly for encryption or decryption without additional procedures such as authentication or integrity checks. In colloquial use, the term "code" is often used to mean any method of encryption or concealment of meaning. However, in cryptography, code has a more specific meaning. It means the replacement of a unit of plaintext (i.e., a meaningful word or phrase) with a code word (for example, wallaby replaces attack at dawn). Codes are no longer used in serious cryptography (except incidentally for such things as unit designations, e.g., Bronco Flight or Operation Overlord), since properly chosen ciphers are both more practical and more secure than even the best codes and also are better adapted to computers.
Cryptanalysis is the term used for the study of methods for obtaining the meaning of encrypted information without access to the key normally required to do so; i.e., it is the study of how to crack encryption algorithms or their implementations. Some use the terms cryptography and cryptology interchangeably in English, while others (including US military practice generally) use cryptography to refer specifically to the use and practice of cryptographic techniques and cryptology to refer to the combined study of cryptography and cryptanalysis.[8][9] English is more flexible than several other languages in which cryptology (done by cryptologists) is always used in the second sense above. In the English Wikipedia the general term used for the entire field is cryptography (done by cryptographers). The study of characteristics of languages which have some application in cryptography (or cryptology), i.e. frequency data, letter combinations, universal patterns, etc., is called cryptolinguistics.

History of cryptography and cryptanalysis

Before the modern era, cryptography was concerned solely with message confidentiality (i.e., encryption): conversion of messages from a comprehensible form into an incomprehensible one and back again at the other end, rendering it unreadable by interceptors or eavesdroppers without secret knowledge (namely the key needed for decryption of that message). Encryption was used to (attempt to) ensure secrecy in communications, such as those of spies, military leaders, and diplomats. In recent decades, the field has expanded beyond confidentiality concerns to include techniques for message integrity checking, sender/receiver identity authentication, digital signatures, interactive proofs and secure computation, among others.


Classic cryptography

The earliest forms of secret writing required little more than local pen and paper analogs, as most people could not read. More literacy, or literate opponents, required actual cryptography. The main classical cipher types are transposition ciphers, which rearrange the order of letters in a message (e.g., 'hello world' becomes 'ehlol owrdl' in a trivially simple rearrangement scheme), and substitution ciphers, which systematically replace letters or groups of letters with other letters or groups of letters (e.g., 'fly at once' becomes 'gmz bu podf' by replacing each letter with the one following it in the Latin alphabet). Simple versions of either have never offered much confidentiality from enterprising opponents. An early substitution cipher was the Caesar cipher, in which each letter in the plaintext was replaced by a letter some fixed number of positions further down the alphabet. Suetonius reports that Julius Caesar used it with a shift of three to communicate with his generals. Atbash is an example of an early Hebrew cipher. The earliest known use of cryptography is some carved ciphertext on stone in Egypt (ca 1900 BCE), but this may have been done for the amusement of literate observers rather than as a way of concealing information. Cryptography is recommended in the Kama Sutra (ca 400 BCE) as a way for lovers to communicate without inconvenient discovery.[10] The Greeks of Classical times are said to have known of ciphers (e.g., the scytale transposition cipher claimed to have been used by the Spartan military).[11] Steganography (i.e., hiding even the existence of a message so as to keep it confidential) was also first developed in ancient times.

Reconstructed ancient Greek scytale (rhymes with "Italy"), an early cipher device

An early example, from Herodotus, concealed a message (a tattoo on a slave's shaved head) under the regrown hair.[7] Another Greek method was developed by Polybius (now called the "Polybius Square").[12] More modern examples of steganography include the use of invisible ink, microdots, and digital watermarks to conceal information. Ciphertexts produced by a classical cipher (and some modern ciphers) always reveal statistical information about the plaintext, which can often be used to break them. After the discovery of frequency analysis, perhaps by the Arab mathematician and polymath Al-Kindi (also known as Alkindus) in the 9th century, nearly all such ciphers became more or less readily breakable by any informed attacker. Such classical ciphers still enjoy popularity today, though mostly as puzzles (see cryptogram). Al-Kindi wrote a book on cryptography entitled Risalah fi Istikhraj al-Mu'amma (Manuscript for the Deciphering Cryptographic Messages), in which he described the first cryptanalysis techniques.[13][14] Essentially all ciphers remained vulnerable to cryptanalysis using the frequency analysis technique until the development of the polyalphabetic cipher, most clearly by Leon Battista Alberti around the year 1467, though there is some indication that it was already known to Al-Kindi.[14] Alberti's innovation was to use different ciphers (i.e., substitution alphabets) for various parts of a message (perhaps for each successive plaintext letter at the limit). He also invented what was probably the first automatic cipher device, a wheel which implemented a partial realization of his invention. In the polyalphabetic Vigenère cipher, encryption uses a key word, which controls letter substitution depending on which letter of the key word is used.

16th-century book-shaped French cipher machine, with arms of Henri II of France

In the mid-19th century Charles Babbage showed that the Vigenère cipher was vulnerable to Kasiski examination, but this was first published about ten years later by Friedrich Kasiski.[15]
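The substitution, Caesar shift and transposition examples from the passage above, together with the frequency analysis that breaks a simple substitution, as an added worked example in Python (this is not code from the original article). The letter-frequency table is the commonly published one for English; the word-level permutation that reproduces 'hello world' -> 'ehlol owrdl' is one of several that would, chosen for this example, and the sample sentence used to exercise the attack is constructed.

```python
import string
from collections import Counter

ALPHABET = string.ascii_lowercase


def shift_cipher(text, shift):
    """Caesar-style substitution: each letter is replaced by the one `shift`
    positions further down the alphabet (wrapping after z); anything that is
    not a letter, spaces included, passes through. Decrypt with -shift."""
    out = []
    for ch in text.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def transpose_words(text, perm=(1, 0, 2, 4, 3)):
    """Transposition: letters keep their identity but change position.
    `perm` lists, for each output position, the input position that fills it.
    The default is a permutation that reproduces the article's
    'hello world' -> 'ehlol owrdl'; words of a different length are left as
    they are (a simplification made for this example)."""
    words = []
    for word in text.split(" "):
        if len(word) == len(perm):
            words.append("".join(word[i] for i in perm))
        else:
            words.append(word)
    return " ".join(words)


def untranspose_words(text, perm=(1, 0, 2, 4, 3)):
    """Undo transpose_words by applying the inverse permutation."""
    inverse = [0] * len(perm)
    for out_pos, in_pos in enumerate(perm):
        inverse[in_pos] = out_pos
    return transpose_words(text, tuple(inverse))


# Relative frequency (percent) of each letter in typical English text, from
# the commonly published tables. Frequency analysis needs only the shape of
# this distribution, not exact values.
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}


def english_distance(text):
    """Chi-squared distance between the letter histogram of `text` and the
    English distribution: small when the text is distributed like English."""
    letters = [c for c in text.lower() if c in ALPHABET]
    if not letters:
        return float("inf")
    counts = Counter(letters)
    total = len(letters)
    score = 0.0
    for ch in ALPHABET:
        expected = ENGLISH_FREQ[ch] / 100 * total
        score += (counts[ch] - expected) ** 2 / expected
    return score


def recover_shift(ciphertext):
    """Frequency analysis against a shift cipher. A substitution hides which
    letter is which but not how often each one occurs, so the shift whose
    trial decryption has the most English-like histogram is the right one."""
    return min(range(26),
               key=lambda s: english_distance(shift_cipher(ciphertext, -s)))


def break_shift_cipher(ciphertext):
    """Recover the plaintext of a shift-enciphered English message with no key."""
    return shift_cipher(ciphertext, -recover_shift(ciphertext))
```

recover_shift tries all 26 shifts and keeps the one whose trial decryption looks most like English, which is why keeping the key secret does nothing for a simple substitution against an informed opponent; the longer the ciphertext, the sharper the histogram and the more reliable the recovery.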


Although frequency analysis is a powerful and general technique against many ciphers, encryption has still been often effective in practice; many a would-be cryptanalyst was unaware of the technique. Breaking a message without using frequency analysis essentially required knowledge of the cipher used and perhaps of the key involved, thus making espionage, bribery, burglary, defection, etc., more attractive approaches to the cryptanalytically uninformed. It was finally explicitly recognized in the 19th century that secrecy of a cipher's algorithm is not a sensible nor practical safeguard of message security; in fact, it was further realized that any adequate cryptographic scheme (including ciphers) should remain secure even if the adversary fully understands the cipher algorithm itself. Security of the key used should alone be sufficient for a good cipher to maintain confidentiality under an attack. This fundamental principle was first explicitly stated in 1883 by Auguste Kerckhoffs and is generally called Kerckhoffs's Principle; alternatively and more bluntly, it was restated by Claude Shannon, the inventor of information theory and the fundamentals of theoretical cryptography, as Shannon's Maxim: 'the enemy knows the system'.

Enciphered letter from Gabriel de Luetz d'Aramon, French Ambassador to the Ottoman Empire, after 1546, with partial decipherment

Different physical devices and aids have been used to assist with ciphers. One of the earliest may have been the scytale of ancient Greece, a rod supposedly used by the Spartans as an aid for a transposition cipher (see image above). In medieval times, other aids were invented such as the cipher grille, which was also used for a kind of steganography. With the invention of polyalphabetic ciphers came more sophisticated aids such as Alberti's own cipher disk, Johannes Trithemius' tabula recta scheme, and Thomas Jefferson's multi-cylinder (not publicly known, and reinvented independently by Bazeries around 1900). Many mechanical encryption/decryption devices were invented early in the 20th century, and several patented, among them rotor machines, famously including the Enigma machine used by the German government and military from the late '20s and during World War II.[16] The ciphers implemented by better quality examples of these machine designs brought about a substantial increase in cryptanalytic difficulty after WWI.[17]
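The polyalphabetic Vigenère cipher, which is what the tabula recta mentioned above implements, and the Kasiski examination that recovers its key length, as an added Python example (not code from the original article). The key word, the plaintext with its deliberately repeated phrase, and the 20-letter cap on candidate key lengths are constructed for this demonstration.

```python
from collections import defaultdict

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def vigenere(text, key, decrypt=False):
    """Vigenère cipher: the i-th letter of the message is shifted by the i-th
    letter of the key word, cycling through the key; looking a plaintext letter
    up under a key letter in a tabula recta does exactly this. Non-letters pass
    through and do not consume a key letter. decrypt=True reverses the shifts."""
    key = key.lower()
    out, k = [], 0
    for ch in text.lower():
        if ch in ALPHABET:
            shift = ALPHABET.index(key[k % len(key)])
            if decrypt:
                shift = -shift
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
            k += 1
        else:
            out.append(ch)
    return "".join(out)


def kasiski_distances(ciphertext, n=3):
    """Kasiski examination, step 1. A plaintext fragment that recurs at a
    distance that is a multiple of the key length meets the same key letters
    both times, so it recurs in the ciphertext too. Collect every repeated
    n-gram of the ciphertext and the distances between its occurrences."""
    letters = [c for c in ciphertext.lower() if c in ALPHABET]
    positions = defaultdict(list)
    for i in range(len(letters) - n + 1):
        positions["".join(letters[i:i + n])].append(i)
    distances = []
    for occurrences in positions.values():
        for a, b in zip(occurrences, occurrences[1:]):
            distances.append(b - a)
    return distances


def rank_key_lengths(distances, max_len=20):
    """Step 2. The true key length divides every genuine repeat distance,
    while a chance repeat is divisible only by accident, so score each
    candidate length by how many distances it divides. The divisors of the
    true length tie with it, so among equal scores the longer candidate is
    listed first (if every repeat happened to sit a double period apart this
    would over-estimate, which a frequency check of the columns would reveal)."""
    scores = {L: sum(1 for d in distances if d % L == 0)
              for L in range(2, max_len + 1)}
    return sorted(scores, key=lambda L: (-scores[L], -L))
```

Once the key length L is known, every L-th ciphertext letter was shifted by the same key letter, so each of the L interleaved columns is an ordinary shift cipher and yields to frequency analysis on its own; Kasiski's contribution was reducing a polyalphabetic cipher to L monoalphabetic ones.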

Computer era

Cryptanalysis of the new mechanical devices proved to be both difficult and laborious. In Great Britain, cryptanalytic efforts at Bletchley Park during WWII spurred the development of more efficient means for carrying out repetitious tasks. This culminated in the development of the Colossus, the world's first fully electronic, digital, programmable computer, which assisted in the decryption of ciphers generated by the German Army's Lorenz SZ40/42 machine. Just as the development of digital computers and electronics helped in cryptanalysis, it made possible much more complex ciphers. Furthermore, computers allowed for the encryption of any kind of data representable in any binary format, unlike classical ciphers which only encrypted written language texts; this was new and significant. Computer use has thus supplanted linguistic cryptography, both for cipher design and cryptanalysis. Many computer ciphers can be characterized by their operation on binary bit sequences (sometimes in groups or blocks), unlike classical and mechanical schemes, which generally manipulate traditional characters (i.e., letters and digits) directly. However, computers have also assisted cryptanalysis, which has compensated to some extent for increased cipher complexity. Nonetheless, good modern ciphers have stayed ahead of cryptanalysis; it is typically the case that use of a quality cipher is very efficient (i.e., fast and requiring few resources, such as memory or CPU capability), while breaking it requires an effort many orders of magnitude larger, and vastly larger than that required for any classical cipher, making cryptanalysis so inefficient and impractical as to be effectively impossible.


Extensive open academic research into cryptography is relatively recent; it began only in the mid-1970s. In recent times, IBM personnel designed the algorithm that became the Federal (i.e., US) Data Encryption Standard; Whitfield Diffie and Martin Hellman published their key agreement algorithm;[18] and the RSA algorithm was published in Martin Gardner's Scientific American column. Since then, cryptography has become a widely used tool in communications, computer networks, and computer security generally. Some modern cryptographic techniques can only keep their keys secret if certain mathematical problems are intractable, such as the integer factorization or the discrete logarithm problems, so there are deep connections with abstract mathematics. There are no absolute proofs that a cryptographic technique is secure (but see one-time pad); at best, there are proofs that some techniques are secure if some computational problem is difficult to solve, or this or that assumption about implementation or practical use is met. As well as being aware of cryptographic history, cryptographic algorithm and system designers must also sensibly consider probable future developments while working on their designs.

Credit card with smart-card capabilities. The 3-by-5-mm chip embedded in the card is shown, enlarged. Smart cards combine low cost and portability with the power to compute cryptographic algorithms.

For instance, continuous improvements in computer processing power have increased the scope of brute-force attacks, so the key lengths that designers must specify keep advancing as well.[19] The potential effects of quantum computing are already being considered by some cryptographic system designers; the announced imminence of small implementations of these machines may be making the need for this preemptive caution rather more than merely speculative.[4] Essentially, prior to the early 20th century, cryptography was chiefly concerned with linguistic and lexicographic patterns. Since then the emphasis has shifted, and cryptography now makes extensive use of mathematics, including aspects of information theory, computational complexity, statistics, combinatorics, abstract algebra, number theory, and finite mathematics generally. Cryptography is also a branch of engineering, but an unusual one as it deals with active, intelligent, and malevolent opposition (see cryptographic engineering and security engineering); other kinds of engineering (e.g., civil or chemical engineering) need deal only with neutral natural forces. There is also active research examining the relationship between cryptographic problems and quantum physics (see quantum cryptography and quantum computer).

Modern cryptography

The modern field of cryptography can be divided into several areas of study. The chief ones are discussed here; see Topics in Cryptography for more.

Symmetric-key cryptography

Symmetric-key cryptography refers to encryption methods in which both the sender and receiver share the same key (or, less commonly, in which their keys are different, but related in an easily computable way). This was the only kind of encryption publicly known until June 1976.[18]


Symmetric key ciphers are implemented as either block ciphers or stream ciphers. A block cipher enciphers input in blocks of plaintext as opposed to individual characters, the input form used by a stream cipher. The Data Encryption Standard (DES) and the Advanced Encryption Standard (AES) are block cipher designs which have been designated cryptography standards by the US government (though DES's designation was finally withdrawn after the AES was adopted).[20] Despite its deprecation as an official standard, DES (especially its still-approved and much more secure triple-DES variant) remains quite popular; it is used across a wide range of applications, from ATM encryption[21] to e-mail privacy[22] and secure remote access.[23] Many other block ciphers have been designed and released, with considerable variation in quality. Many have been thoroughly broken, such as FEAL.[4][24]

One round (out of 8.5) of the patented IDEA cipher, used in some versions of PGP for high-speed encryption of, for instance, e-mail

Stream ciphers, in contrast to the 'block' type, create an arbitrarily long stream of key material, which is combined with the plaintext bit-by-bit or character-by-character, somewhat like the one-time pad. In a stream cipher, the output stream is created based on a hidden internal state which changes as the cipher operates. That internal state is initially set up using the secret key material. RC4 is a widely used stream cipher; see Category:Stream ciphers.[4] Block ciphers can be used as stream ciphers; see Block cipher modes of operation. Cryptographic hash functions are a third type of cryptographic algorithm. They take a message of any length as input, and output a short, fixed length hash which can be used in (for example) a digital signature. For good hash functions, an attacker cannot find two messages that produce the same hash. MD4 is a long-used hash function which is now broken; MD5, a strengthened variant of MD4, is also widely used but broken in practice. The U.S. National Security Agency developed the Secure Hash Algorithm series of MD5-like hash functions: SHA-0 was a flawed algorithm that the agency withdrew; SHA-1 is widely deployed and more secure than MD5, but cryptanalysts have identified attacks against it; the SHA-2 family improves on SHA-1, but it isn't yet widely deployed, and the U.S. standards authority thought it "prudent" from a security perspective to develop a new standard to "significantly improve the robustness of NIST's overall hash algorithm toolkit."[25] Thus, a hash function design competition is underway and meant to select a new U.S. national standard, to be called SHA-3, by 2012. Message authentication codes (MACs) are much like cryptographic hash functions, except that a secret key can be used to authenticate the hash value[4] upon receipt.
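The two shapes described above, a stream cipher whose key material is produced from a hidden internal state seeded with the secret key and XORed onto the plaintext, and a message authentication code that only a holder of the key can compute, as an added Python example (not code from the original article). The keystream generator runs HMAC-SHA256 as a keyed pseudorandom function over a nonce and a counter; that construction, the encrypt-then-MAC layout, and the keys and messages in the test are this example's own choices, not a standardized cipher.

```python
import hashlib
import hmac
import os


def keystream(key, nonce, length):
    """Stream-cipher key material: the internal state is (key, nonce, counter)
    and each step emits 32 more bytes. The nonce must differ per message so
    that two messages never see the same key material (reuse would cancel the
    key out, as with a reused one-time pad). Teaching construction only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"),
                         hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    """Combine plaintext and key material byte-by-byte; XOR is its own inverse."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_then_mac(enc_key, mac_key, plaintext, nonce=None):
    """Encrypt, then authenticate nonce and ciphertext with a separate MAC key.
    Returns (nonce, ciphertext, tag). The tag is what a plain hash cannot
    provide: anyone can recompute a hash of a tampered message, but only a
    holder of mac_key can produce a tag that will verify."""
    nonce = os.urandom(16) if nonce is None else nonce
    ciphertext = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce, ciphertext, tag


def verify_and_decrypt(enc_key, mac_key, nonce, ciphertext, tag):
    """Check the tag in constant time before touching the ciphertext; return
    the plaintext, or None if the message was altered in transit."""
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext)))
```

A stream cipher by itself gives confidentiality only: flipping a ciphertext bit flips the same plaintext bit and nothing in the cipher notices, which is why the tag is computed over the ciphertext and checked before decryption.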

Public-key cryptography

Symmetric-key cryptosystems use the same key for encryption and decryption of a message, though a message or group of messages may have a different key than others. A significant disadvantage of symmetric ciphers is the key management necessary to use them securely. Each distinct pair of communicating parties must, ideally, share a different key, and perhaps each ciphertext exchanged as well. The number of keys required increases as the square of the number of network members, which very quickly requires complex key management schemes to keep them all straight and secret. The difficulty of securely establishing a secret key between two communicating parties, when a secure channel does not already exist between them, also presents a chicken-and-egg problem which is a considerable practical obstacle for cryptography users in the real world.

In a groundbreaking 1976 paper, Whitfield Diffie and Martin Hellman proposed the notion of public-key (also, more generally, called asymmetric key) cryptography in which two different but mathematically related keys are used: a public key and a private key.[26] A public key system is so constructed that calculation of one key (the 'private key') is computationally infeasible from the other (the 'public key'), even though they are necessarily related. Instead, both keys are generated secretly, as an interrelated pair.[27] The historian David Kahn described public-key cryptography as "the most revolutionary new concept in the field since polyalphabetic substitution emerged in the Renaissance".[28]

Whitfield Diffie and Martin Hellman, authors of the first published paper on public-key cryptography

In public-key cryptosystems, the public key may be freely distributed, while its paired private key must remain secret. In a public-key encryption system, the public key is used for encryption, while the private or secret key is used for decryption. While Diffie and Hellman could not find such a system, they showed that public-key cryptography was indeed possible by presenting the Diffie-Hellman key exchange protocol, a solution that is now widely used in secure communications to allow two parties to secretly agree on a shared encryption key.[18] Diffie and Hellman's publication sparked widespread academic efforts in finding a practical public-key encryption system. This race was finally won in 1978 by Ronald Rivest, Adi Shamir, and Len Adleman, whose solution has since become known as the RSA algorithm.[29] The Diffie-Hellman and RSA algorithms, in addition to being the first publicly known examples of high quality public-key algorithms, have been among the most widely used. Others include the Cramer-Shoup cryptosystem, ElGamal encryption, and various elliptic curve techniques. See Category:Asymmetric-key cryptosystems. To much surprise, a document published in 1997 by the Government Communications Headquarters (GCHQ), a British intelligence organization, revealed that cryptographers at GCHQ had anticipated several academic developments.[30] Reportedly, around 1970, James H. Ellis had conceived the principles of asymmetric key cryptography. In 1973, Clifford Cocks invented a solution that essentially resembles the RSA algorithm.[30][31] And in 1974, Malcolm J. Williamson is claimed to have developed the Diffie-Hellman key exchange.[32] Public-key cryptography can also be used for implementing digital signature schemes. A digital signature is reminiscent of an ordinary signature; they both have the characteristic of being easy for a user to produce, but difficult for anyone else to forge. Digital signatures can also be permanently tied to the content of the message being signed; they cannot then be 'moved' from one document to another, for any attempt will be detectable. In digital signature schemes, there are two algorithms: one for signing, in which a secret key is used to process the message (or a hash of the message, or both), and one for verification, in which the matching public key is used with the message to check the validity of the signature. RSA and DSA are two of the most popular digital signature schemes. Digital signatures are central to the operation of public key infrastructures and many network security schemes (e.g., SSL/TLS, many VPNs, etc.).[24]

Padlock icon from the Firefox Web browser, meant to indicate a page has been sent in SSL or TLS-encrypted protected form. However, seeing an icon results when code is intended to render it. Malicious code can provide the icon even when the connection is not actually being protected by SSL or TLS.

Public-key algorithms are most often based on the computational complexity of "hard" problems, often from number theory. For example, the hardness of RSA is related to the integer factorization problem, while Diffie-Hellman and DSA are related to the discrete logarithm problem. More recently, elliptic curve cryptography has developed in which security is based on number theoretic problems involving elliptic curves. Because of the difficulty of the underlying problems, most public-key algorithms involve operations such as modular multiplication and exponentiation, which are much more computationally expensive than the techniques used in most block ciphers, especially with typical key sizes. As a result, public-key cryptosystems are commonly hybrid cryptosystems, in which a fast high-quality symmetric-key encryption algorithm is used for the message itself, while the relevant symmetric key is sent with the message, but encrypted using a public-key algorithm. Similarly, hybrid signature schemes are often used, in which a cryptographic hash function is computed, and only the resulting hash is digitally signed.[4]
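The two-algorithm structure of a digital signature described above (sign with the secret key, verify with the matching public key), the hybrid arrangement in which only a hash of the message is signed, and the wrapping of a symmetric key under a public key, as an added Python example (not code from the original article). It uses textbook RSA with a deliberately small modulus built from the Mersenne primes 2^31-1 and 2^61-1 and no padding scheme, so it shows the structure and nothing more; the exponent, the messages and the key values are constructed for the example.

```python
import hashlib
import secrets

# Toy RSA key pair. P and Q are the Mersenne primes 2^31-1 and 2^61-1, so N is
# only about 92 bits and there is no padding: this illustrates the scheme's
# structure and is not a usable key. (Constructed for this example.)
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q
E_PUB = 65537                    # public exponent
PHI = (P - 1) * (Q - 1)
D_PRIV = pow(E_PUB, -1, PHI)     # private exponent: e*d = 1 (mod phi), Python 3.8+


def message_digest(message):
    """Hybrid signing: hash the message first so that the expensive modular
    exponentiation is applied to a short, fixed-length value regardless of
    message size. The reduction mod N is only needed because this toy modulus
    is smaller than a SHA-256 output."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message, d=D_PRIV, n=N):
    """Signing algorithm: needs the secret key d."""
    return pow(message_digest(message), d, n)


def verify(message, signature, e=E_PUB, n=N):
    """Verification algorithm: needs only the public key (e, n) and the message.
    Any change to the message or the signature makes the check fail."""
    return pow(signature, e, n) == message_digest(message)


def wrap_symmetric_key(sym_key, e=E_PUB, n=N):
    """Hybrid encryption: the fast symmetric key that protects the message body
    is itself encrypted under the recipient's public key and sent alongside."""
    if not 0 <= sym_key < n:
        raise ValueError("symmetric key must be smaller than the modulus")
    return pow(sym_key, e, n)


def unwrap_symmetric_key(wrapped, d=D_PRIV, n=N):
    """Recipient side: the private key recovers the symmetric key."""
    return pow(wrapped, d, n)


def fresh_symmetric_key(n=N):
    """A random symmetric key small enough to wrap under this toy modulus."""
    return secrets.randbelow(n)
```

The correctness of both directions rests on the same fact: for a modulus that is a product of two distinct primes, raising any residue to the power e*d returns it unchanged, so signing and encrypting are the same exponentiation with the roles of the keys swapped.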

Cryptanalysis

The goal of cryptanalysis is to find some weakness or insecurity in a cryptographic scheme, thus permitting its subversion or evasion. It is a common misconception that every encryption method can be broken. In connection with his WWII work at Bell Labs, Claude Shannon proved that the one-time pad cipher is unbreakable, provided the key material is truly random, never reused, kept secret from all possible attackers, and of equal or greater length than the message.[33] Most ciphers, apart from the one-time pad, can be broken with enough computational effort by brute force attack, but the amount of effort needed may be exponentially dependent on the key size, as compared to the effort needed to make use of the cipher. In such cases, effective security could be achieved if it is proven that the effort required (i.e., "work factor", in Shannon's terms) is beyond the ability of any adversary. This means it must be shown that no efficient method (as opposed to the time-consuming brute force method) can be found to break the cipher. Since no such proof has been found to date, the one-time pad remains the only theoretically unbreakable cipher.
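Shannon's conditions for the one-time pad from the paragraph above, as an added Python example (not code from the original article): the pad is as long as the message and drawn from the operating system's random source, perfect secrecy is made concrete by exhaustively counting keys on a tiny constructed message space, and the "never reused" condition is shown to be load-bearing. The sample messages and the 3-bit message space are constructed for the demonstration.

```python
import os


def otp_encrypt(plaintext, key):
    """One-time pad: XOR each message byte with one fresh key byte. The key
    must be exactly as long as the message; since XOR is its own inverse,
    the same function decrypts."""
    if len(key) != len(plaintext):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


otp_decrypt = otp_encrypt


def new_pad(length):
    """Key material from the OS random source. Shannon's proof assumes the key
    bits are uniformly random; a predictable pad voids the guarantee."""
    return os.urandom(length)


def keys_per_plaintext(ciphertext_value, n_bits):
    """Perfect secrecy made concrete on an n_bits-bit message space: for one
    observed ciphertext, count the keys that would turn each possible
    plaintext into it. Every plaintext is reachable by exactly one key, so the
    ciphertext alone says nothing about which message was sent, however much
    computing power the observer has."""
    space = range(1 << n_bits)
    return {p: sum(1 for k in space if p ^ k == ciphertext_value) for p in space}


def reused_pad_leak(c1, c2):
    """Why 'never reused' is one of the conditions: if two messages share a
    pad, XORing the two ciphertexts cancels the key and leaves p1 XOR p2,
    which an observer obtains without knowing any key at all."""
    return bytes(a ^ b for a, b in zip(c1, c2))
```

keys_per_plaintext is exhaustive and so only practical for a handful of bits, but the argument it checks holds at any length: for an L-byte ciphertext each of the 256^L plaintexts corresponds to exactly one of the 256^L pads.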

There are a wide variety of cryptanalytic attacks, and they can be classified in any of several ways. A common distinction turns on what an attacker knows and what capabilities are available. In a ciphertext-only attack, the cryptanalyst has access only to the ciphertext (good modern cryptosystems are usually effectively immune to ciphertext-only attacks). In a known-plaintext attack, the cryptanalyst has access to a ciphertext and its corresponding plaintext (or to many such pairs). In a chosen-plaintext attack, the cryptanalyst may choose a plaintext and learn its corresponding ciphertext (perhaps many times); an example is gardening, used by the British during WWII. Finally, in a chosen-ciphertext attack, the cryptanalyst may be able to choose ciphertexts and learn their corresponding plaintexts.[4] Also important, often overwhelmingly so, are mistakes (generally in the design or use of one of the protocols involved; see Cryptanalysis of the Enigma for some historical examples of this).

Variants of the Enigma machine, used by Germany's military and civil authorities from the late 1920s through World War II, implemented a complex electro-mechanical polyalphabetic cipher. Breaking and reading of the Enigma cipher at Poland's Cipher Bureau, for 7 years before the war, and subsequent decryption at Bletchley Park, was important to Allied victory.[7]


Cryptanalysis of symmetric-key ciphers typically involves looking for attacks against the block ciphers or stream ciphers that are more efficient than any attack that could be mounted against a perfect cipher. For example, a simple brute force attack against DES requires one known plaintext and 2^55 decryptions, trying approximately half of the possible keys, to reach a point at which chances are better than even that the key sought will have been found. But this may not be enough assurance; a linear cryptanalysis attack against DES requires 2^43 known plaintexts and approximately 2^43 DES operations.[34] This is a considerable improvement on brute force attacks.

Public-key algorithms are based on the computational difficulty of various problems. The most famous of these is integer factorization (e.g., the RSA algorithm is based on a problem related to integer factoring), but the discrete logarithm problem is also important. Much public-key cryptanalysis concerns numerical algorithms for solving these computational problems, or some of them, efficiently (i.e., in a practical time). For instance, the best known algorithms for solving the elliptic curve-based version of discrete logarithm are much more time-consuming than the best known algorithms for factoring, at least for problems of more or less equivalent size. Thus, other things being equal, to achieve an equivalent strength of attack resistance, factoring-based encryption techniques must use larger keys than elliptic curve techniques. For this reason, public-key cryptosystems based on elliptic curves have become popular since their invention in the mid-1990s. While pure cryptanalysis uses weaknesses in the algorithms themselves, other attacks on cryptosystems are based on actual use of the algorithms in real devices, and are called side-channel attacks. If a cryptanalyst has access to, for example, the amount of time the device took to encrypt a number of plaintexts or report an error in a password or PIN character, he may be able to use a timing attack to break a cipher that is otherwise resistant to analysis. An attacker might also study the pattern and length of messages to derive valuable information; this is known as traffic analysis,[35] and can be quite useful to an alert adversary. Poor administration of a cryptosystem, such as permitting too short keys, will make any system vulnerable, regardless of other virtues. And, of course, social engineering, and other attacks against the personnel who work with cryptosystems or the messages they handle (e.g., bribery, extortion, blackmail, espionage, torture, ...) may be the most productive attacks of all.
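The timing side channel mentioned above, as an added Python example (not code from the original article): an equality check that returns at the first mismatching byte, as a naive PIN or password check would, performs an amount of work that depends on how much of the guess is correct, while a constant-time comparison always performs the same work. Step counts stand in for elapsed time so the difference is visible without a benchmark; the secret value and the guesses in the test are constructed.

```python
import hmac


def early_exit_equal(secret, guess):
    """The comparison a naive check uses: it stops at the first differing byte.
    Returns (equal, bytes_examined); the count is a stand-in for running time
    and grows with the length of the correctly guessed prefix, which is the
    information a timing attack harvests."""
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for s, g in zip(secret, guess):
        examined += 1
        if s != g:
            return False, examined
    return True, examined


def constant_time_equal(secret, guess):
    """Same decision, fixed work: every byte is examined and the differences
    are OR-ed together, so the work does not depend on where, or whether,
    the inputs differ. Length is still compared first; real code compares
    fixed-length digests so that the lengths never differ."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    examined = 0
    for s, g in zip(secret, guess):
        examined += 1
        diff |= s ^ g
    return diff == 0, examined


def verify_token(secret, guess):
    """What application code should call: the standard library's constant-time
    comparison, wrapped here only so the example is self-contained."""
    return hmac.compare_digest(secret, guess)
```

Neither function says anything to the caller that the other does not; the leak is entirely in how long the answer takes, which is why it is a side channel and why it cannot be fixed by changing the error message alone.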

Poznań monument (center) to Polish cryptologists whose breaking of Germany's Enigma machine ciphers, beginning in 1932, altered the course of World War II

Cryptographic primitives

Much of the theoretical work in cryptography concerns cryptographic primitives, algorithms with basic cryptographic properties, and their relationship to other cryptographic problems. More complicated cryptographic tools are then built from these basic primitives. These primitives provide fundamental properties, which are used to develop more complex tools called cryptosystems or cryptographic protocols, which guarantee one or more high-level security properties. Note, however, that the distinction between cryptographic primitives and cryptosystems is quite arbitrary; for example, the RSA algorithm is sometimes considered a cryptosystem, and sometimes a primitive. Typical examples of cryptographic primitives include pseudorandom functions, one-way functions, etc.

Cryptography

10

Cryptosystems

One or more cryptographic primitives are often used to develop a more complex algorithm, called a cryptographic system, or cryptosystem. Cryptosystems (e.g. ElGamal encryption) are designed to provide particular functionality (e.g. public key encryption) while guaranteeing certain security properties (e.g. chosen-plaintext attack (CPA) security in the random oracle model). Cryptosystems use the properties of the underlying cryptographic primitives to support the system's security properties. Of course, as the distinction between primitives and cryptosystems is somewhat arbitrary, a sophisticated cryptosystem can be derived from a combination of several more primitive cryptosystems. In many cases, the cryptosystem's structure involves back-and-forth communication among two or more parties in space (e.g., between the sender of a secure message and its receiver) or across time (e.g., cryptographically protected backup data). Such cryptosystems are sometimes called cryptographic protocols.

Some widely known cryptosystems include RSA encryption, the Schnorr signature, ElGamal encryption, PGP, etc. More complex cryptosystems include electronic cash[36] systems, signcryption systems, etc. Some more 'theoretical' cryptosystems include interactive proof systems[37] (like zero-knowledge proofs),[38] systems for secret sharing,[39][40] etc.

Until recently, most security properties of most cryptosystems were demonstrated using empirical techniques, or using ad hoc reasoning. Recently, there has been considerable effort to develop formal techniques for establishing the security of cryptosystems; this has been generally called provable security. The general idea of provable security is to give arguments that compromising some security aspect of the cryptosystem would require any adversary to solve a problem believed to be computationally infeasible.
The study of how best to implement and integrate cryptography in software applications is itself a distinct field; see: Cryptographic engineering and Security engineering.

Legal issues

Prohibitions

Cryptography has long been of interest to intelligence gathering and law enforcement agencies. Secret communications may be criminal or even treasonous. Because of its facilitation of privacy, and the diminution of privacy attendant on its prohibition, cryptography is also of considerable interest to civil rights supporters. Accordingly, there has been a history of controversial legal issues surrounding cryptography, especially since the advent of inexpensive computers has made widespread access to high-quality cryptography possible.

In some countries, even the domestic use of cryptography is, or has been, restricted. Until 1999, France significantly restricted the use of cryptography domestically, though it has since relaxed many of these rules. In China, a license is still required to use cryptography. Many countries have tight restrictions on the use of cryptography. Among the more restrictive are laws in Belarus, Kazakhstan, Mongolia, Pakistan, Singapore, Tunisia, and Vietnam.[41]

In the United States, cryptography is legal for domestic use, but there has been much conflict over legal issues related to cryptography. One particularly important issue has been the export of cryptography and cryptographic software and hardware. Probably because of the importance of cryptanalysis in World War II and an expectation that cryptography would continue to be important for national security, many Western governments have, at some point, strictly regulated export of cryptography. After World War II, it was illegal in the US to sell or distribute encryption technology overseas; in fact, encryption was designated as auxiliary military equipment and put on the United States Munitions List.[42] Until the development of the personal computer, asymmetric key algorithms (i.e., public key techniques), and the Internet, this was not especially problematic. However, as the Internet grew and computers became more widely available, high-quality encryption techniques became well known around the globe. As a result, export controls came to be seen as an impediment to commerce and to research.


Export controls

In the 1990s, there were several challenges to US export regulations of cryptography. One involved Philip Zimmermann's Pretty Good Privacy (PGP) encryption program; it was released in the US, together with its source code, and found its way onto the Internet in June 1991. After a complaint by RSA Security (then called RSA Data Security, Inc., or RSADSI), Zimmermann was criminally investigated by the Customs Service and the FBI for several years. No charges were ever filed, however.[43][44] Also, Daniel Bernstein, then a graduate student at UC Berkeley, brought a lawsuit against the US government challenging some aspects of the restrictions on free speech grounds. The 1995 case Bernstein v. United States ultimately resulted in a 1999 decision that printed source code for cryptographic algorithms and systems was protected as free speech by the United States Constitution.[45]

In 1996, thirty-nine countries signed the Wassenaar Arrangement, an arms control treaty that deals with the export of arms and "dual-use" technologies such as cryptography. The treaty stipulated that the use of cryptography with short key lengths (56-bit for symmetric encryption, 512-bit for RSA) would no longer be export-controlled.[46] Cryptography exports from the US are now much less strictly regulated than in the past as a consequence of a major relaxation in 2000;[41] there are no longer very many restrictions on key sizes in US-exported mass-market software. In practice today, since the relaxation in US export restrictions, and because almost every personal computer connected to the Internet, everywhere in the world, includes US-sourced web browsers such as Firefox or Internet Explorer, almost every Internet user worldwide has access to quality cryptography in their browsers (i.e., when using sufficiently long keys with properly operating and unsubverted software, etc.); the browser's Transport Layer Security (TLS) or SSL stack is the main example.

The Mozilla Thunderbird and Microsoft Outlook e-mail client programs similarly can connect to IMAP or POP servers via TLS, and can send and receive email encrypted with S/MIME. Many Internet users don't realize that their basic application software contains such extensive cryptosystems. These browsers and email programs are so ubiquitous that even governments whose intent is to regulate civilian use of cryptography generally don't find it practical to do much to control distribution or use of cryptography of this quality, so even when such laws are in force, actual enforcement is often effectively impossible.

NSA involvement

Another contentious issue connected to cryptography in the United States is the influence of the National Security Agency on cipher development and policy. The NSA was involved with the design of DES during its development at IBM and its consideration by the National Bureau of Standards as a possible Federal Standard for cryptography.[47] DES was designed to be resistant to differential cryptanalysis,[48] a powerful and general cryptanalytic technique known to the NSA and IBM, that became publicly known only when it was rediscovered in the late 1980s.[49] According to Steven Levy, IBM rediscovered differential cryptanalysis,[50] but kept the technique secret at the NSA's request. The technique became publicly known only when Biham and Shamir rediscovered it again and announced it some years later. The entire affair illustrates the difficulty of determining what resources and knowledge an attacker might actually have.

Another instance of the NSA's involvement was the 1993 Clipper chip affair, an encryption microchip intended to be part of the Capstone cryptography-control initiative. Clipper was widely criticized by cryptographers for two reasons. The cipher algorithm (called Skipjack) was then classified (it was declassified in 1998, long after the Clipper initiative lapsed). The classified cipher caused concerns that the NSA had deliberately made the cipher weak in order to assist its intelligence efforts. The whole initiative was also criticized based on its violation of Kerckhoffs's principle, as the scheme included a special escrow key held by the government for use by law enforcement, for example in wiretaps.[44]


Digital rights management

Cryptography is central to digital rights management (DRM), a group of techniques for technologically controlling use of copyrighted material, being widely implemented and deployed at the behest of some copyright holders. In 1998, American President Bill Clinton signed the Digital Millennium Copyright Act (DMCA), which criminalized all production, dissemination, and use of certain cryptanalytic techniques and technology (now known or later discovered); specifically, those that could be used to circumvent DRM technological schemes.[51] This had a noticeable impact on the cryptography research community since an argument can be made that any cryptanalytic research violated, or might violate, the DMCA. Similar statutes have since been enacted in several countries and regions, including the implementation in the EU Copyright Directive. Similar restrictions are called for by treaties signed by World Intellectual Property Organization member states.

The United States Department of Justice and FBI have not enforced the DMCA as rigorously as had been feared by some, but the law, nonetheless, remains a controversial one. Niels Ferguson, a well-respected cryptography researcher, has publicly stated[52] that he will not release some of his research into an Intel security design for fear of prosecution under the DMCA. Both Alan Cox (longtime number 2 in Linux kernel development) and Professor Edward Felten (and some of his students at Princeton) have encountered problems related to the Act. Dmitry Sklyarov was arrested during a visit to the US from Russia, and jailed for five months pending trial for alleged violations of the DMCA arising from work he had done in Russia, where the work was legal. In 2007, the cryptographic keys responsible for Blu-ray and HD DVD content scrambling were discovered and released onto the Internet. In both the Blu-ray and the HD DVD cases, the MPAA sent out numerous DMCA takedown notices, and there was a massive internet backlash[53] triggered by the perceived impact of such notices on fair use and free speech.

References

[1] Liddell and Scott's Greek-English Lexicon. Oxford University Press, 1984.
[2] Rivest, Ronald L. (1990). "Cryptology". In J. Van Leeuwen (ed.), Handbook of Theoretical Computer Science, vol. 1. Elsevier.
[3] Bellare, Mihir; Rogaway, Phillip (21 September 2005). "Introduction". Introduction to Modern Cryptography, p. 10.
[4] A. J. Menezes, P. C. van Oorschot and S. A. Vanstone, Handbook of Applied Cryptography (http://web.archive.org/web/20050307081354/www.cacr.math.uwaterloo.ca/hac/). ISBN 0-8493-8523-7.
[5] "UK Data Encryption Disclosure Law Takes Effect" (http://www.pcworld.com/article/137881/uk_data_encryption_disclosure_law_takes_effect.html). PCWorld, 2007-10-01. Retrieved 2012-01-28.
[6] Leyden, John (2011-07-13). "US court test for rights not to hand over crypto keys" (http://www.theregister.co.uk/2011/07/13/eff_piles_in_against_forced_decryption/). The Register. Retrieved 2012-01-28.
[7] David Kahn, The Codebreakers, 1967. ISBN 0-684-83130-9.
[8] Oded Goldreich, Foundations of Cryptography, Volume 1: Basic Tools. Cambridge University Press, 2001. ISBN 0-521-79172-3.
[9] "Cryptology (definition)" (http://www.merriam-webster.com/dictionary/cryptology). Merriam-Webster's Collegiate Dictionary (11th ed.). Merriam-Webster. Retrieved 2008-02-01.
[10] Kama Sutra, Sir Richard F. Burton, translator, Part I, Chapter III, 44th and 45th arts.
[11] V. V. Yashchenko (2002). Cryptography: an introduction (http://books.google.com/books?id=cH-NGrpcIMcC&pg=PA6&dq&hl=en#v=onepage&q=&f=false). AMS Bookstore, p. 6. ISBN 0-8218-2986-6.
[12] Cohen, Fred (1995). "A Short History of Cryptography" (http://all.net/books/ip/Chap2-1.html). All.net. Retrieved 2011-07-18.
[13] Simon Singh, The Code Book, pp. 14-20.
[14] Ibrahim A. Al-Kadi (April 1992), "The origins of cryptology: The Arab contributions", Cryptologia 16 (2): 97-126.
[15] Schrödel, Tobias (October 2008). "Breaking Short Vigenère Ciphers". Cryptologia 32 (4): 334-337. doi:10.1080/01611190802336097.
[16] Hakim, Joy (1995). A History of Us: War, Peace and all that Jazz. New York: Oxford University Press. ISBN 0-19-509514-6.
[17] James Gannon, Stealing Secrets, Telling Lies: How Spies and Codebreakers Helped Shape the Twentieth Century. Washington, D.C.: Brassey's, 2001. ISBN 1-57488-367-4.
[18] Whitfield Diffie and Martin Hellman, "New Directions in Cryptography", IEEE Transactions on Information Theory, vol. IT-22, Nov. 1976, pp. 644-654. PDF: http://citeseer.ist.psu.edu/rd/86197922,340126,1,0.25,Download/http://citeseer.ist.psu.edu/cache/papers/cs/16749/http:zSzzSzwww.cs.rutgers.eduzSz~tdnguyenzSzclasseszSzcs671zSzpresentationszSzArvind-NEWDIRS.pdf/diffie76new.pdf
[19] Blaze, Matt; Diffie, Whitfield; Rivest, Ronald L.; Schneier, Bruce; Shimomura, Tsutomu; Thompson, Eric; Wiener, Michael (January 1996). "Minimal key lengths for symmetric ciphers to provide adequate commercial security" (http://www.fortify.net/related/cryptographers.html). Fortify. Retrieved 14 October 2011.
[20] FIPS PUB 197: The official Advanced Encryption Standard (http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf).
[21] NCUA letter to credit unions (http://www.ncua.gov/letters/2004/04-CU-09.pdf), July 2004.
[22] RFC 2440 - OpenPGP Message Format.
[23] SSH at windowsecurity.com (http://www.windowsecurity.com/articles/SSH.html) by Pawel Golen, July 2004.
[24] Bruce Schneier, Applied Cryptography, 2nd edition. Wiley, 1996. ISBN 0-471-11709-9.
[25] http://csrc.nist.gov/groups/ST/hash/documents/FR_Notice_Nov07.pdf
[26] Whitfield Diffie and Martin Hellman, "Multi-user cryptographic techniques", AFIPS Proceedings 45, pp. 109-112, June 8, 1976.
[27] Ralph Merkle was working on similar ideas at the time and encountered publication delays, and Hellman has suggested that the term used should be Diffie-Hellman-Merkle asymmetric key cryptography.
[28] David Kahn, "Cryptology Goes Public", 58 Foreign Affairs 141, 151 (fall 1979), p. 153.
[29] R. Rivest, A. Shamir, L. Adleman. "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems" (http://theory.lcs.mit.edu/~rivest/rsapaper.pdf). Communications of the ACM, Vol. 21 (2), pp. 120-126, 1978. Previously released as an MIT "Technical Memo" in April 1977, and published in Martin Gardner's Scientific American Mathematical Recreations column.
[30] "British Document Outlines Early Encryption Discovery" (http://www.nytimes.com/library/cyber/week/122497encrypt.html#1). New York Times. Retrieved 2012-03-27.
[31] Clifford Cocks. A Note on 'Non-Secret Encryption', CESG Research Report, 20 November 1973 (http://www.fi.muni.cz/usr/matyas/lecture/paper2.pdf).
[32] Singh, Simon (1999). The Code Book. Doubleday. pp. 279-292.
[33] Claude Shannon and Warren Weaver, The Mathematical Theory of Communication. University of Illinois Press, 1963. ISBN 0-252-72548-4.
[34] Pascal Junod, "On the Complexity of Matsui's Attack" (http://citeseer.ist.psu.edu/cache/papers/cs/22094/http:zSzzSzeprint.iacr.orgzSz2001zSz056.pdf/junod01complexity.pdf), SAC 2001.
[35] Dawn Song, David Wagner, and Xuqing Tian, "Timing Analysis of Keystrokes and Timing Attacks on SSH", in Tenth USENIX Security Symposium, 2001.
[36] S. Brands, "Untraceable Off-line Cash in Wallets with Observers" (http://ftp.se.kde.org/pub/security/docs/ecash/crypto93.ps.gz), in Advances in Cryptology: Proceedings of CRYPTO. Springer-Verlag, 1994.
[37] László Babai. "Trading group theory for randomness" (http://portal.acm.org/citation.cfm?id=22192). Proceedings of the Seventeenth Annual Symposium on the Theory of Computing, ACM, 1985.
[38] S. Goldwasser, S. Micali, and C. Rackoff, "The Knowledge Complexity of Interactive Proof Systems", SIAM J. Computing, vol. 18, num. 1, pp. 186-208, 1989.
[39] G. Blakley. "Safeguarding cryptographic keys." In Proceedings of AFIPS 1979, volume 48, pp. 313-317, June 1979.
[40] A. Shamir. "How to share a secret." Communications of the ACM, volume 22, pp. 612-613, ACM, 1979.
[41] "RSA Laboratories' Frequently Asked Questions About Today's Cryptography" (http://www.rsasecurity.com/rsalabs/node.asp?id=2152). Rsasecurity.com. Retrieved 2011-07-18.
[42] Cryptography & Speech (http://web.archive.org/web/20051201184530/http://www.cyberlaw.com/cylw1095.html) from Cyberlaw.
[43] "Case Closed on Zimmermann PGP Investigation" (http://www.ieee-security.org/Cipher/Newsbriefs/1996/960214.zimmerman.html), press note from the IEEE.
[44] Levy, Steven (2001). Crypto: How the Code Rebels Beat the Government, Saving Privacy in the Digital Age. Penguin Books, p. 56. ISBN 0-14-024432-8. OCLC 244148644, 48066852, 48846639.
[45] Bernstein v. USDOJ (http://www.epic.org/crypto/export_controls/bernstein_decision_9_cir.html), 9th Circuit Court of Appeals decision.
[46] "The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies" (http://www.wassenaar.org/guidelines/index.html). Wassenaar.org. Retrieved 2011-07-18.
[47] "The Data Encryption Standard (DES)" (http://www.schneier.com/crypto-gram-0006.html#DES), from Bruce Schneier's Crypto-Gram newsletter, June 15, 2000.
[48] Coppersmith, D. (May 1994). "The Data Encryption Standard (DES) and its strength against attacks" (http://domino.watson.ibm.com/tchjr/journalindex.nsf/0/94f78816c77fc77885256bfa0067fb98?OpenDocument) (PDF). IBM Journal of Research and Development 38 (3): 243. doi:10.1147/rd.383.0243.
[49] E. Biham and A. Shamir, "Differential cryptanalysis of DES-like cryptosystems" (http://www.springerlink.com/index/K54H077NP8714058.pdf), Journal of Cryptology, vol. 4, num. 1, pp. 3-72. Springer-Verlag, 1991.
[50] Levy, p. 56.
[51] "The Digital Millennium Copyright Act of 1998" (http://www.copyright.gov/legislation/dmca.pdf) (PDF). Retrieved 2011-07-18.
[52] http://www.macfergus.com/niels/dmca/cia.html
[53] "Digg revolt over HD DVD codes" (http://www.australianit.news.com.au/story/0,24897,21659892-27317,00.html). news.com.au, 2 May 2007. Retrieved 2007-05-20.


Further reading

Further information: Books on cryptography

Becket, B. (1988). Introduction to Cryptology. Blackwell Scientific Publications. ISBN 0-632-01836-4. OCLC 16832704. Excellent coverage of many classical ciphers and cryptography concepts and of the "modern" DES and RSA systems.
Cryptography and Mathematics by Bernhard Esslinger, 200 pages, part of the free open-source package CrypTool, PDF download (https://www.cryptool.org/download/CrypToolScript-en.pdf). CrypTool is the most widespread e-learning program about cryptography and cryptanalysis, open source.
In Code: A Mathematical Journey by Sarah Flannery (with David Flannery). Popular account of Sarah's award-winning project on public-key cryptography, co-written with her father.
James Gannon, Stealing Secrets, Telling Lies: How Spies and Codebreakers Helped Shape the Twentieth Century. Washington, D.C.: Brassey's, 2001. ISBN 1-57488-367-4.
Oded Goldreich, Foundations of Cryptography (http://www.wisdom.weizmann.ac.il/~oded/foc-book.html), in two volumes, Cambridge University Press, 2001 and 2004.
Introduction to Modern Cryptography (http://www.cs.umd.edu/~jkatz/imc.html) by Jonathan Katz and Yehuda Lindell.
Alvin's Secret Code by Clifford B. Hicks (children's novel that introduces some basic cryptography and cryptanalysis).
Ibrahim A. Al-Kadi, "The Origins of Cryptology: the Arab Contributions," Cryptologia, vol. 16, no. 2 (April 1992), pp. 97-126.
Handbook of Applied Cryptography (http://www.cacr.math.uwaterloo.ca/hac/) by A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, CRC Press (PDF download available); somewhat more mathematical than Schneier's Applied Cryptography.
Christof Paar (http://www.crypto.rub.de/en_paar.html), Jan Pelzl, Understanding Cryptography, A Textbook for Students and Practitioners (http://www.cryptography-textbook.com/). Springer, 2009. (Slides, online cryptography lectures and other information are available on the companion web site.) Very accessible introduction to practical cryptography for non-mathematicians.
Introduction to Modern Cryptography by Phillip Rogaway and Mihir Bellare, a mathematical introduction to theoretical cryptography including reduction-based security proofs. PDF download (http://www.cs.ucdavis.edu/~rogaway/classes/227/spring05/book/main.pdf).
Johann-Christoph Woltag, 'Coded Communications (Encryption)' in Rüdiger Wolfrum (ed.), Max Planck Encyclopedia of Public International Law (Oxford University Press 2009), http://www.mpepil.com, giving an overview of international law issues regarding cryptography.
Jonathan Arbib & John Dwyer, Discrete Mathematics for Cryptography, 1st Edition. ISBN 978-1-907934-01-8.

External links

Cryptography (http://www.bbc.co.uk/programmes/p004y272) on In Our Time at the BBC (listen now: http://www.bbc.co.uk/iplayer/console/p004y272/In_Our_Time_Cryptography).
DNA computing and cryptology: the future for Basel in Switzerland? (http://www.basel-research.eu.com/)
Crypto Glossary and Dictionary of Technical Cryptography (http://ciphersbyritter.com/GLOSSARY.HTM)
NSA's CryptoKids (http://www.nsa.gov/kids/).
Overview and Applications of Cryptology (http://www.cryptool.org/images/ct1/presentations/CrypToolPresentation-en.pdf) by the CrypTool Team; PDF; 3.8 MB; July 2008.
A Course in Cryptography (http://www.cs.cornell.edu/courses/cs4830/2010fa/lecnotes.pdf) by Raphael Pass & Abhi Shelat. Complete course in cryptography offered at Cornell in the form of lecture notes.

Cryptanalysis

15

Cryptanalysis (from the Greek kryptós, "hidden", and analýein, "to loosen" or "to untie") is the art and science of analyzing information systems in order to study the hidden aspects of the systems.[1] Cryptanalysis is used to defeat cryptographic security systems and gain access to the contents of encrypted messages, even if the cryptographic key is unknown. In addition to mathematical analysis of cryptographic algorithms, cryptanalysis also includes the study of side-channel attacks that do not target weaknesses in the cryptographic algorithms themselves, but instead exploit weaknesses in their implementation.

Close-up of the rotors in a Fialka cipher machine

Even though the goal has been the same, the methods and techniques of cryptanalysis have changed drastically through the history of cryptography, adapting to increasing cryptographic complexity, ranging from the pen-and-paper methods of the past, through machines like Bombes and Colossus computers at Bletchley Park in World War II, to the mathematically advanced computerized schemes of the present. Methods for breaking modern cryptosystems often involve solving carefully constructed problems in pure mathematics, the best-known being integer factorization.

Overview

Given some encrypted data ("ciphertext"), the goal of the cryptanalyst is to gain as much information as possible about the original, unencrypted data ("plaintext").

Amount of information available to the attacker

Attacks can be classified based on what type of information the attacker has available. As a basic starting point it is normally assumed that, for the purposes of analysis, the general algorithm is known; this is Shannon's Maxim, "the enemy knows the system", which is in turn equivalent to Kerckhoffs's principle. This is a reasonable assumption in practice: throughout history, there are countless examples of secret algorithms falling into wider knowledge, variously through espionage, betrayal and reverse engineering. (And on occasion, ciphers have been reconstructed through pure deduction; for example, the German Lorenz cipher and the Japanese Purple code, and a variety of classical schemes.)[2]

Ciphertext-only: the cryptanalyst has access only to a collection of ciphertexts or codetexts.
Known-plaintext: the attacker has a set of ciphertexts to which he knows the corresponding plaintext.
Chosen-plaintext (chosen-ciphertext): the attacker can obtain the ciphertexts (plaintexts) corresponding to an arbitrary set of plaintexts (ciphertexts) of his own choosing.
Adaptive chosen-plaintext: like a chosen-plaintext attack, except the attacker can choose subsequent plaintexts based on information learned from previous encryptions. Similarly, adaptive chosen-ciphertext attack.
Related-key attack: like a chosen-plaintext attack, except the attacker can obtain ciphertexts encrypted under two different keys. The keys are unknown, but the relationship between them is known; for example, two keys that differ in one bit.
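To make two of the attack models above concrete, here is an added example (not code from the article) of a known-plaintext attack and a chosen-plaintext attack against a stream cipher that reuses its keystream, the flaw that the one-time pad's "never reuse a pad" rule guards against. The SHA-256 counter-mode keystream, the key, the nonce and the messages are all constructed for the demo; the attacks themselves do not depend on the generator, only on the reuse.

```python
"""Known-plaintext and chosen-plaintext attacks on a stream cipher whose keystream
is reused. Added example, not code from the article. The keystream generator is a
toy (SHA-256 in counter mode) used only to get a deterministic stream; the attacks
do not depend on it and work against any stream cipher or one-time pad whose
key/nonce pair is used for more than one message."""
import hashlib
from itertools import count


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: concatenated SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    for ctr in count():
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: ciphertext = plaintext XOR keystream (decryption is identical)."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


# --- attacker side: no access to KEY ---

def known_plaintext_attack(known_pt: bytes, known_ct: bytes, target_ct: bytes) -> bytes:
    """Known-plaintext: one (plaintext, ciphertext) pair reveals the keystream prefix,
    which strips the same keystream from any other ciphertext. Returns as many bytes
    of the target plaintext as the known pair covers."""
    ks = xor(known_pt, known_ct)
    n = min(len(ks), len(target_ct))
    return xor(target_ct[:n], ks[:n])


def chosen_plaintext_attack(oracle, target_ct: bytes) -> bytes:
    """Chosen-plaintext: ask the encryption oracle to encrypt all-zero bytes; with a
    reused keystream the answer is the keystream itself."""
    ks = oracle(bytes(len(target_ct)))
    return xor(target_ct, ks)


# Constructed demo data.
KEY = b"\x01" * 16
NONCE = b"\x00" * 8                      # the bug: same nonce for every message
MSG_A = b"Attack at dawn; bring the codebooks"
MSG_B = b"Retreat at dusk; burn the codebooks"


def demo():
    """Returns (plaintext recovered by KPA, plaintext recovered by CPA,
    what KPA yields when the second message used a fresh nonce)."""
    ct_a = encrypt(KEY, NONCE, MSG_A)
    ct_b = encrypt(KEY, NONCE, MSG_B)
    by_kpa = known_plaintext_attack(MSG_A, ct_a, ct_b)
    by_cpa = chosen_plaintext_attack(lambda pt: encrypt(KEY, NONCE, pt), ct_b)
    # With a fresh nonce the keystreams differ and the known pair tells the attacker nothing.
    ct_b_fresh = encrypt(KEY, b"\x00" * 7 + b"\x01", MSG_B)
    by_kpa_fresh = known_plaintext_attack(MSG_A, ct_a, ct_b_fresh)
    return by_kpa, by_cpa, by_kpa_fresh
```

The known-plaintext attacker needs one message it can guess (a header, a greeting, a padding block); the chosen-plaintext attacker needs only an encryption service that will encrypt its input under the same key and nonce. Neither learns the key, and neither needs to: with a fresh nonce per message, as the last value returned by demo() shows, the same known pair yields only noise.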


Computational resources required

Attacks can also be characterised by the resources they require. Those resources include:

Time: the number of computation steps (like encryptions) which must be performed.
Memory: the amount of storage required to perform the attack.
Data: the quantity of plaintexts and ciphertexts required.

It's sometimes difficult to predict these quantities precisely, especially when the attack isn't practical to actually implement for testing. But academic cryptanalysts tend to provide at least the estimated order of magnitude of their attacks' difficulty, saying, for example, "SHA-1 collisions now 2^52."[3] Bruce Schneier notes that even computationally impractical attacks can be considered breaks: "Breaking a cipher simply means finding a weakness in the cipher that can be exploited with a complexity less than brute force. Never mind that brute force might require 2^128 encryptions; an attack requiring 2^110 encryptions would be considered a break... simply put, a break can just be a certificational weakness: evidence that the cipher does not perform as advertised."[4]

Partial breaks

The results of cryptanalysis can also vary in usefulness. For example, cryptographer Lars Knudsen (1998) classified various types of attack on block ciphers according to the amount and quality of secret information that was discovered:

Total break: the attacker deduces the secret key.
Global deduction: the attacker discovers a functionally equivalent algorithm for encryption and decryption, but without learning the key.
Instance (local) deduction: the attacker discovers additional plaintexts (or ciphertexts) not previously known.
Information deduction: the attacker gains some Shannon information about plaintexts (or ciphertexts) not previously known.
Distinguishing algorithm: the attacker can distinguish the cipher from a random permutation.

Academic attacks are often against weakened versions of a cryptosystem, such as a block cipher or hash function with some rounds removed. Many, but not all, attacks become exponentially more difficult to execute as rounds are added to a cryptosystem,[5] so it's possible for the full cryptosystem to be strong even though reduced-round variants are weak. Nonetheless, partial breaks that come close to breaking the original cryptosystem may mean that a full break will follow; the successful attacks on DES, MD5, and SHA-1 were all preceded by attacks on weakened versions.

In academic cryptography, a weakness or a break in a scheme is usually defined quite conservatively: it might require impractical amounts of time, memory, or known plaintexts. It also might require the attacker to be able to do things many real-world attackers can't: for example, the attacker may need to choose particular plaintexts to be encrypted or even to ask for plaintexts to be encrypted using several keys related to the secret key. Furthermore, it might only reveal a small amount of information, enough to prove the cryptosystem imperfect but too little to be useful to real-world attackers. Finally, an attack might only apply to a weakened version of cryptographic tools, like a reduced-round block cipher, as a step towards breaking the full system.[4]


History of cryptanalysis

Cryptanalysis has coevolved together with cryptography, and the contest can be traced through the history of cryptography: new ciphers being designed to replace old broken designs, and new cryptanalytic techniques invented to crack the improved schemes. In practice, they are viewed as two sides of the same coin: in order to create secure cryptography, you have to design against possible cryptanalysis. Successful cryptanalysis has undoubtedly influenced history; the ability to read the presumed-secret thoughts and plans of others can be a decisive advantage. For example, in England in 1587, Mary, Queen of Scots was tried and executed for treason for her involvement in three plots to assassinate Elizabeth I of England, which were known about because her coded correspondence with fellow conspirators had been deciphered by Thomas Phelippes.

The decrypted Zimmermann Telegram.

In World War I, the breaking of the Zimmermann Telegram was instrumental in bringing the United States into the war. In World War II, the Allies benefited enormously from their joint success in the cryptanalysis of the German ciphers, including the Enigma machine and the Lorenz cipher, and of Japanese ciphers, particularly 'Purple' and JN-25. 'Ultra' intelligence has been credited with everything from shortening the European war by up to two years to determining its eventual result. The war in the Pacific was similarly helped by 'Magic' intelligence.[6] Governments have long recognized the potential benefits of cryptanalysis for intelligence, both military and diplomatic, and established dedicated organizations devoted to breaking the codes and ciphers of other nations, for example, GCHQ and the NSA, organizations which are still very active today. In 2004, it was reported that the United States had broken Iranian ciphers (it is unknown, however, whether this was pure cryptanalysis or whether other factors were involved).[7]

Classical ciphers

Although the actual word "cryptanalysis" is relatively recent (it was coined by William Friedman in 1920), methods for breaking codes and ciphers are much older. The first known recorded explanation of cryptanalysis was given by the 9th-century Arabian polymath Al-Kindi (also known as "Alkindus" in Europe), in A Manuscript on Deciphering Cryptographic Messages. This treatise includes a description of the method of frequency analysis (Ibrahim Al-Kadi, 1992). The Italian scholar Giambattista della Porta was the author of a seminal work on cryptanalysis, "De Furtivis Literarum Notis".[8]

First page of Al-Kindi's 9th century Manuscript on Deciphering Cryptographic Messages

Frequency analysis is the basic tool for breaking most classical ciphers. In natural languages, certain letters of the alphabet appear more frequently than others; in English, "E" is likely to be the most common letter in any sample of plaintext. Similarly, the digraph "TH" is the most likely pair of letters in English, and so on. Frequency analysis relies on a cipher failing to hide these statistics. For example, in a simple substitution cipher (where each letter is simply replaced with another), the most frequent letter in the ciphertext would be a likely candidate for "E". Frequency analysis of such a cipher is therefore relatively easy, provided that the ciphertext is long enough to give a reasonably representative count of the letters of the alphabet that it contains.[9]

In Europe during the 15th and 16th centuries, the idea of a polyalphabetic substitution cipher was developed, among others by the French diplomat Blaise de Vigenère (1523-96).[10] For some three centuries, the Vigenère cipher, which uses a repeating key to select different encryption alphabets in rotation, was considered to be completely secure (le chiffre indéchiffrable, "the indecipherable cipher"). Nevertheless, Charles Babbage (1791-1871) and later, independently, Friedrich Kasiski (1805-81) succeeded in breaking this cipher.[11] During World War I, inventors in several countries developed rotor cipher machines such as Arthur Scherbius' Enigma, in an attempt to minimise the repetition that had been exploited to break the Vigenère system.[12]
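The statistical weakness described above, worked through in code. This is an added example, not from the article or from any of the works it cites: it enciphers a constructed English sample under a constructed substitution key and then checks that the letter statistics survive encryption, so that the most frequent ciphertext letter is the image of "E" and the most frequent digraph is the image of "TH". The sample text, the key string and all function names are assumptions of this example; it shows both the analyst's first step and the reason a modern cipher has to flatten such statistics.

```python
"""Frequency analysis against a monoalphabetic substitution cipher.

Added example (not from the article): the plaintext sample, the key and the
function names below are constructed for illustration.
"""
from collections import Counter
import string

# Constructed sample plaintext, written for this example.
SAMPLE_PLAINTEXT = (
    "The quick brown fox jumps over the lazy dog while the other animals watch "
    "from the edge of the forest. Every evening the same scene repeats itself, "
    "and the keeper writes down what he sees in the little notebook that this "
    "man keeps in the pocket of his coat. These notes are later used to find "
    "out whether the behaviour of the creatures changes with the weather or "
    "with the season."
)

# Hypothetical substitution key: a permutation of the alphabet (constructed, not a real key).
KEY = "QWERTYUIOPASDFGHJKLZXCVBNM"
assert sorted(KEY) == list(string.ascii_uppercase), "key must be a permutation of A-Z"


def letters_only(text):
    """Keep only A-Z, upper-cased: the analyst counts letters, not spaces or punctuation."""
    return "".join(ch for ch in text.upper() if ch in string.ascii_uppercase)


def encrypt_substitution(plaintext, key=KEY):
    """Replace each plaintext letter by the key letter at the same alphabet position."""
    table = str.maketrans(string.ascii_uppercase, key)
    return letters_only(plaintext).translate(table)


def letter_frequencies(ciphertext):
    """Single-letter counts, most frequent first."""
    return Counter(ciphertext).most_common()


def digraph_frequencies(ciphertext):
    """Counts of overlapping adjacent letter pairs, most frequent first."""
    pairs = (ciphertext[i:i + 2] for i in range(len(ciphertext) - 1))
    return Counter(pairs).most_common()


def guess_e_and_th(ciphertext):
    """The classical first step: assume the top letter is E and the top digraph is TH.
    Returns the ciphertext letter and digraph the analyst would map to them."""
    top_letter = letter_frequencies(ciphertext)[0][0]
    top_digraph = digraph_frequencies(ciphertext)[0][0]
    return top_letter, top_digraph


if __name__ == "__main__":
    ct = encrypt_substitution(SAMPLE_PLAINTEXT)
    print(ct)
    print("top letters:", letter_frequencies(ct)[:5])
    print("top digraphs:", digraph_frequencies(ct)[:5])
    print("guess E ->", guess_e_and_th(ct)[0], " guess TH ->", guess_e_and_th(ct)[1])
```

With the constructed key, "E" enciphers to "T" and "TH" to "ZI", and those are exactly the symbols the counts bring to the top. The same counting code applied to a ciphertext from a well-designed modern cipher would return a nearly flat distribution, which is the property the later sections of the article describe ciphers being built to achieve.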


Ciphers from World War I and World War II

Cryptanalysis of enemy messages played a significant part in the Allied victory in World War II. F. W. Winterbotham quoted the western Supreme Allied Commander, Dwight D. Eisenhower, at the war's end as describing Ultra intelligence as having been "decisive" to Allied victory.[13] Sir Harry Hinsley, official historian of British Intelligence in World War II, made a similar assessment about Ultra, saying that it shortened the war "by not less than two years and probably by four years"; moreover, he said that in the absence of Ultra, it is uncertain how the war would have ended.[14]

In practice, frequency analysis relies as much on linguistic knowledge as it does on statistics, but as ciphers became more complex, mathematics became more important in cryptanalysis. This change was particularly evident before and during World War II, when efforts to crack Axis ciphers required new levels of mathematical sophistication. Moreover, automation was first applied to cryptanalysis in that era with the Polish Bomba device, the British Bombe, the use of punched card equipment, and the Colossus computers, the first electronic digital computers to be controlled by a program.[15][16]

Indicator

See also: Enigma machine: Indicator

With reciprocal machine ciphers such as the Lorenz cipher and the Enigma machine used by Nazi Germany during World War II, each message had its own key. Usually, the transmitting operator informed the receiving operator of this message key by transmitting some plaintext or ciphertext before the enciphered message. This is termed the indicator, as it indicates to the receiving operator how to set his machine to decipher the message.[17]

It was poorly designed and implemented indicator systems that allowed first the Poles[18] and then the British at Bletchley Park[19] to break the Enigma cipher system. Similar poor indicator systems allowed the British to identify depths that led to the diagnosis of the Lorenz SZ40/42 cipher system, and the comprehensive breaking of its messages without the cryptanalysts seeing the cipher machine.[20]

Depth

Sending two or more messages with the same key is an insecure process. To a cryptanalyst the messages are then said to be "in depth".[21] This may be detected by the messages having the same indicator, by which the sending operator informs the receiving operator about the key generator initial settings for the message.[22]

Generally, the cryptanalyst may benefit from lining up identical enciphering operations among a set of messages. For example, the Vernam cipher enciphers by combining plaintext bit for bit with a long key using the "exclusive or" operator, which is also known as "modulo-2 addition" (symbolized by ⊕):

Plaintext ⊕ Key = Ciphertext

Deciphering combines the same key bits with the ciphertext to reconstruct the plaintext:

Ciphertext ⊕ Key = Plaintext

(In modulo-2 arithmetic, addition is the same as subtraction.) When two such ciphertexts are aligned in depth, combining them eliminates the common key, leaving just a combination of the two plaintexts:

Ciphertext1 ⊕ Ciphertext2 = Plaintext1 ⊕ Plaintext2

The individual plaintexts can then be worked out linguistically by trying probable words (or phrases) at various locations; a correct guess, when combined with the merged plaintext stream, produces intelligible text from the other plaintext component:

(Plaintext1 ⊕ Plaintext2) ⊕ Plaintext1 = Plaintext2

The recovered fragment of the second plaintext can often be extended in one or both directions, and the extra characters can be combined with the merged plaintext stream to extend the first plaintext. Working back and forth between the two plaintexts, using the intelligibility criterion to check guesses, the analyst may recover much or all of the original plaintexts. (With only two plaintexts in depth, the analyst may not know which one corresponds to which ciphertext, but in practice this is not a large problem.) When a recovered plaintext is then combined with its ciphertext, the key is revealed:

Plaintext1 ⊕ Ciphertext1 = Key

Knowledge of a key of course allows the analyst to read other messages encrypted with the same key, and knowledge of a set of related keys may allow cryptanalysts to diagnose the system used for constructing them.[23]
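The depth situation just described, as an added worked example that is not part of the article or of any cited work. Two constructed messages are enciphered under one constructed key stream, and the code then carries out each step of the text above: cancelling the key by combining the two ciphertexts, sliding a probable phrase ("THE NORTH") along the merged stream and keeping the positions where the result is intelligible, and finally recovering the key stream from one known plaintext. The message texts, the key bytes and the function names are all assumptions of this example.

```python
"""Messages 'in depth' under a reused Vernam (XOR) key.

Added example, not from the article. Everything here is constructed:
the two messages, the key stream and the helper names.
"""

# Constructed key stream (hypothetical). A real one-time-pad key would be
# truly random and, above all, used for exactly one message.
KEY = bytes((i * 73 + 41) % 256 for i in range(64))

# Constructed plaintexts that share a probable phrase at different offsets.
PLAINTEXT1 = b"MEETING MOVED TO THE NORTH HARBOUR"
PLAINTEXT2 = b"SUPPLIES ARRIVE AT THE NORTH HARBOUR"


def xor_bytes(a, b):
    """Modulo-2 addition, byte by byte, over the shorter of the two inputs."""
    return bytes(x ^ y for x, y in zip(a, b))


def vernam(data, key=KEY):
    """Plaintext XOR Key = Ciphertext; the same call also deciphers."""
    if len(key) < len(data):
        raise ValueError("key stream shorter than message")
    return xor_bytes(data, key)


def merge_depth(ciphertext1, ciphertext2):
    """Ciphertext1 XOR Ciphertext2 = Plaintext1 XOR Plaintext2: the common key drops out."""
    return xor_bytes(ciphertext1, ciphertext2)


def looks_like_text(fragment):
    """Intelligibility check used to filter crib positions: uppercase letters and spaces only."""
    return all(c == 0x20 or 0x41 <= c <= 0x5A for c in fragment)


def crib_drag(merged, crib):
    """Slide a probable word along the merged stream. Wherever the crib is placed
    correctly, (Plaintext1 XOR Plaintext2) XOR crib is readable text from the
    *other* message. Returns (offset, fragment) pairs that pass the check."""
    hits = []
    for offset in range(len(merged) - len(crib) + 1):
        candidate = xor_bytes(merged[offset:offset + len(crib)], crib)
        if looks_like_text(candidate):
            hits.append((offset, candidate))
    return hits


def recover_key(plaintext, ciphertext):
    """Plaintext XOR Ciphertext = Key: one recovered message exposes the key stream."""
    return xor_bytes(plaintext, ciphertext)


def demo():
    """Run the whole depth analysis and return (crib hits, recovered key stream)."""
    ct1 = vernam(PLAINTEXT1)
    ct2 = vernam(PLAINTEXT2)
    merged = merge_depth(ct1, ct2)
    hits = crib_drag(merged, b"THE NORTH")
    key_stream = recover_key(PLAINTEXT1, ct1)
    return hits, key_stream


if __name__ == "__main__":
    hits, key_stream = demo()
    for offset, fragment in hits:
        print(f"crib fits at offset {offset}: other message reads {fragment!r}")
    print("key stream recovered:", key_stream == KEY[:len(PLAINTEXT1)])
```

Running it reports, among any chance hits, offsets 17 and 19: at 17 the crib sits over message 1 and exposes "T THE NOR" from message 2, at 19 it sits over message 2 and exposes "E NORTH H" from message 1. That is the ambiguity the text mentions (the analyst cannot immediately tell which fragment belongs to which ciphertext), and each fragment can then be extended exactly as described. The defensive lesson is the one the article states: a key stream must never be used twice, which for a modern stream cipher means a unique nonce for every message.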


The development of modern cryptography

The Bombe replicated the action of several Enigma machines wired together. Each of the rapidly rotating drums, pictured above in a Bletchley Park museum mockup, simulated the action of an Enigma rotor.

Even though computation was used to great effect in cryptanalysis of the Enigma and other systems during World War II, it also made possible new methods of cryptography orders of magnitude more complex than ever before. Taken as a whole, modern cryptography has become much more impervious to cryptanalysis than the pen-and-paper systems of the past, and now seems to have the upper hand against pure cryptanalysis. The historian David Kahn notes:

"Many are the cryptosystems offered by the hundreds of commercial vendors today that cannot be broken by any known methods of cryptanalysis. Indeed, in such systems even a chosen plaintext attack, in which a selected plaintext is matched against its ciphertext, cannot yield the key that unlock[s] other messages. In a sense, then, cryptanalysis is dead. But that is not the end of the story. Cryptanalysis may be dead, but there is - to mix my metaphors - more than one way to skin a cat."[24]

Kahn goes on to mention increased opportunities for interception, bugging, side channel attacks, and quantum computers as replacements for the traditional means of cryptanalysis. In 2010, former NSA technical director Brian Snow said that both academic and government cryptographers are "moving very slowly forward in a mature field."[25]

However, any postmortems for cryptanalysis may be premature. While the effectiveness of cryptanalytic methods employed by intelligence agencies remains unknown, many serious attacks against both academic and practical cryptographic primitives have been published in the modern era of computer cryptography:

The block cipher Madryga, proposed in 1984 but not widely used, was found to be susceptible to ciphertext-only attacks in 1998.
FEAL-4, proposed as a replacement for the DES standard encryption algorithm but not widely used, was demolished by a spate of attacks from the academic community, many of which are entirely practical.
The A5/1, A5/2, CMEA, and DECT systems used in mobile and wireless phone technology can all be broken in hours, minutes or even in real time using widely available computing equipment.
Brute-force keyspace search has broken some real-world ciphers and applications, including single-DES (see EFF DES cracker), 40-bit "export-strength" cryptography, and the DVD Content Scrambling System.
In 2001, Wired Equivalent Privacy (WEP), a protocol used to secure Wi-Fi wireless networks, was shown to be breakable in practice because of a weakness in the RC4 cipher and aspects of the WEP design that made related-key attacks practical. WEP was later replaced by Wi-Fi Protected Access.
In 2008, researchers conducted a proof-of-concept break of SSL using weaknesses in the MD5 hash function and certificate issuer practices that made it possible to exploit collision attacks on hash functions. The certificate issuers involved changed their practices to prevent the attack from being repeated.

Thus, while the best modern ciphers may be far more resistant to cryptanalysis than the Enigma, cryptanalysis and the broader field of information security remain quite active.


Cryptanalysis of symmetric ciphers

Boomerang attack
Brute force attack
Davies' attack
Differential cryptanalysis
Impossible differential cryptanalysis
Improbable differential cryptanalysis
Integral cryptanalysis
Linear cryptanalysis
Meet-in-the-middle attack
Mod-n cryptanalysis
Related-key attack
Sandwich attack
Slide attack
XSL attack

Cryptanalysis of asymmetric ciphers

Asymmetric cryptography (or public key cryptography) is cryptography that relies on using two keys: one private, and one public. Such ciphers invariably rely on "hard" mathematical problems as the basis of their security, so an obvious point of attack is to develop methods for solving the problem. The security of two-key cryptography depends on mathematical questions in a way that single-key cryptography generally does not, and conversely links cryptanalysis to wider mathematical research in a new way.

Asymmetric schemes are designed around the (conjectured) difficulty of solving various mathematical problems. If an improved algorithm can be found to solve the problem, then the system is weakened. For example, the security of the Diffie-Hellman key exchange scheme depends on the difficulty of calculating the discrete logarithm. In 1983, Don Coppersmith found a faster way to find discrete logarithms (in certain groups), thereby requiring cryptographers to use larger groups (or different types of groups). RSA's security depends (in part) upon the difficulty of integer factorization; a breakthrough in factoring would impact the security of RSA. In 1980, one could factor a difficult 50-digit number at an expense of 10^12 elementary computer operations. By 1984 the state of the art in factoring algorithms had advanced to a point where a 75-digit number could be factored in 10^12 operations. Advances in computing technology also meant that the operations could be performed much faster.

Moore's law predicts that computer speeds will continue to increase. Factoring techniques may continue to improve as well, but will most likely depend on mathematical insight and creativity, neither of which has ever been successfully predicted. 150-digit numbers of the kind once used in RSA have been factored. The effort was greater than above, but was not unreasonable on fast modern computers. By the start of the 21st century, 150-digit numbers were no longer considered a large enough key size for RSA. Numbers with several hundred digits were still considered too hard to factor in 2005, though methods will probably continue to improve over time, requiring key size to keep pace or other methods such as elliptic curve cryptography to be used.

Another distinguishing feature of asymmetric schemes is that, unlike attacks on symmetric cryptosystems, any cryptanalysis has the opportunity to make use of knowledge gained from the public key.


Attacking cryptographic hash systems

Birthday attack
Rainbow table

Side-channel attacks

Power analysis
Timing analysis
Man-in-the-middle attack
Replay attack
Black-bag cryptanalysis
Rubber-hose cryptanalysis

Quantum computing applications for cryptanalysis

Quantum computers, which are still in the early phases of research, have potential use in cryptanalysis. For example, Shor's algorithm could factor large numbers in polynomial time, in effect breaking some commonly used forms of public-key encryption. By using Grover's algorithm on a quantum computer, brute-force key search can be made quadratically faster. However, this could be countered by doubling the key length.

References

Notes

[1] Cryptanalysis/Signals Analysis (http://www.nsa.gov/careers/career_fields/cryptsiganalysis.shtml)
[2] Schmeh, Klaus (2003). Cryptography and public key infrastructure on the Internet (http://books.google.com/books?id=9NqidkUqHdgC&pg=PA45). John Wiley & Sons. p. 45. ISBN 978-0-470-84745-9.
[3] McDonald, Cameron; Hawkes, Philip; Pieprzyk, Josef, SHA-1 collisions now 2^52 (http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf), retrieved 4 April 2012
[4] Schneier 2000
[5] For an example of an attack that cannot be prevented by additional rounds, see slide attack.
[6] Smith 2000, p. 4
[7] "Breaking codes: An impossible task?" (http://news.bbc.co.uk/1/hi/technology/3804895.stm). BBC News. June 21, 2004.
[8] Crypto History (http://www.cryptool.org/content/view/28/54/lang,english/)
[9] Singh 1999, p. 17
[10] Singh 1999, pp. 45-51
[11] Singh 1999, pp. 63-78
[12] Singh 1999, p. 116
[13] Winterbotham 2000, p. 229
[14] Hinsley 1993
[15] Copeland 2006, p. 1
[16] Singh 1999, p. 244
[17] Churchhouse 2002, pp. 33, 34
[18] Budiansky 2000, pp. 97-99
[19] Calvocoressi 2001, p. 66
[20] Tutte 1998
[21] Churchhouse 2002, p. 34
[22] Churchhouse 2002, pp. 33, 86
[23] Tutte 1998
[24] David Kahn, Remarks on the 50th Anniversary of the National Security Agency (http://www.fas.org/irp/eprint/kahn.html), November 1, 2002.
[25] Tim Greene, Network World, Former NSA tech chief: I don't trust the cloud (http://www.networkworld.com/news/2010/030410-rsa-cloud-security-warning.html). Retrieved March 14, 2010.


Bibliography

Ibrahim A. Al-Kadi, "The origins of cryptology: The Arab contributions", Cryptologia, 16(2) (April 1992) pp. 97-126.
Friedrich L. Bauer: "Decrypted Secrets". Springer 2002. ISBN 3-540-42674-4
Budiansky, Stephen (2000), Battle of Wits: The Complete Story of Codebreaking in World War II, Free Press, ISBN 978-0-684-85932-3
Calvocoressi, Peter (2001) [1980], Top Secret Ultra, Cleobury Mortimer, Shropshire: M & M Baldwin, ISBN 0-947712-41-0
Churchhouse, Robert (2002), Codes and Ciphers: Julius Caesar, the Enigma and the Internet, Cambridge: Cambridge University Press, ISBN 978-0-521-00890-7
Copeland, B. Jack, ed. (2006), Colossus: The Secrets of Bletchley Park's Codebreaking Computers, Oxford: Oxford University Press, ISBN 978-0-19-284055-4
Helen Fouché Gaines, "Cryptanalysis", 1939, Dover. ISBN 0-486-20097-3
David Kahn, "The Codebreakers - The Story of Secret Writing", 1967. ISBN 0-684-83130-9
Lars R. Knudsen: Contemporary Block Ciphers. Lectures on Data Security 1998: 105-126
Schneier, Bruce (January 2000). "A Self-Study Course in Block-Cipher Cryptanalysis" (https://www.schneier.com/paper-self-study.html). Cryptologia 24 (1): 18-34. doi:10.1080/0161-110091888754
Abraham Sinkov, Elementary Cryptanalysis: A Mathematical Approach, Mathematical Association of America, 1966. ISBN 0-88385-622-0
Christopher Swenson, Modern Cryptanalysis: Techniques for Advanced Code Breaking, ISBN 978-0-470-13593-8
Friedman, William F., Military Cryptanalysis, Part I, ISBN 0-89412-044-1
Friedman, William F., Military Cryptanalysis, Part II, ISBN 0-89412-064-6
Friedman, William F., Military Cryptanalysis, Part III, Simpler Varieties of Aperiodic Substitution Systems, ISBN 0-89412-196-0
Friedman, William F., Military Cryptanalysis, Part IV, Transposition and Fractionating Systems, ISBN 0-89412-198-7
Friedman, William F. and Lambros D. Callimahos, Military Cryptanalytics, Part I, Volume 1, ISBN 0-89412-073-5
Friedman, William F. and Lambros D. Callimahos, Military Cryptanalytics, Part I, Volume 2, ISBN 0-89412-074-3
Friedman, William F. and Lambros D. Callimahos, Military Cryptanalytics, Part II, Volume 1, ISBN 0-89412-075-1
Friedman, William F. and Lambros D. Callimahos, Military Cryptanalytics, Part II, Volume 2, ISBN 0-89412-076-X

Hinsley, F. H. (1993), "Introduction: The influence of Ultra in the Second World War", in Hinsley & Stripp 1993, pp. 1-13
Singh, Simon (1999). The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography. London: Fourth Estate. pp. 143-189. ISBN 1-85702-879-1.
Smith, Michael (2000), The Emperor's Codes: Bletchley Park and the breaking of Japan's secret ciphers, London: Random House, ISBN 0-593-04641-2
Tutte, W. T. (19 June 1998), Fish and I (http://frode.home.cern.ch/frode/crypto/tutte.pdf), retrieved 7 October 2010. Transcript of a lecture given by Prof. Tutte at the University of Waterloo.
Winterbotham, F. W. (2000) [1974], The Ultra Secret: the inside story of Operation Ultra, Bletchley Park and Enigma, London: Orion Books Ltd, ISBN 978-0-7528-3751-2, OCLC 222735270


Further reading

Bard, Gregory V. (2009). Algebraic Cryptanalysis (http://books.google.com/books?id=PYs4Vjdo0z0C). Springer. ISBN 978-1-4419-1019-6.
Hinek, M. Jason (2009). Cryptanalysis of RSA and Its Variants (http://books.google.com/books?id=LS8m8nyu55QC). CRC Press. ISBN 978-1-4200-7518-2.
Joux, Antoine (2009). Algorithmic Cryptanalysis (http://books.google.com/books?id=buQajqt-_iUC). CRC Press. ISBN 978-1-4200-7002-6.
Junod, Pascal & Canteaut, Anne (2011). Advanced Linear Cryptanalysis of Block and Stream Ciphers (http://books.google.com/books?id=pMnRhjStTZoC). IOS Press. ISBN 978-1-60750-844-1.
Stamp, Mark & Low, Richard (2007). Applied Cryptanalysis: Breaking Ciphers in the Real World (http://books.google.com/books?id=buVGyPNbwJUC). John Wiley & Sons. ISBN 978-0-470-11486-5.
Swenson, Christopher (2008). Modern cryptanalysis: techniques for advanced code breaking (http://books.google.com/books?id=oLoaWgdmFJ8C). John Wiley & Sons. ISBN 978-0-470-13593-8.
Wagstaff, Samuel S. (2003). Cryptanalysis of number-theoretic ciphers (http://books.google.com/books?id=jQxRYd65LxIC). CRC Press. ISBN 978-1-58488-153-7.

External links

Basic Cryptanalysis (http://www.umich.edu/~umich/fm-34-40-2/) (files contain a 5-line header that has to be removed first)
Distributed Computing Projects (http://distributedcomputing.info/ap-crypto.html#m4)
Simon Singh's crypto corner (http://simonsingh.net/cryptography/)
The National Museum of Computing (http://www.tnmoc.org/home.aspx)
UltraAnvil tool for attacking simple substitution ciphers (http://home.no.net/fenja256/ultraanvil/)

History of cryptography


The history of cryptography began thousands of years ago. Until recent decades, it has been the story of what might be called classic cryptography, that is, of methods of encryption that use pen and paper, or perhaps simple mechanical aids. In the early 20th century, the invention of complex mechanical and electromechanical machines, such as the Enigma rotor machine, provided more sophisticated and efficient means of encryption; and the subsequent introduction of electronics and computing has allowed elaborate schemes of still greater complexity, most of which are entirely unsuited to pen and paper.

The development of cryptography has been paralleled by the development of cryptanalysis, the "breaking" of codes and ciphers. The discovery and application, early on, of frequency analysis to the reading of encrypted communications has, on occasion, altered the course of history. Thus the Zimmermann Telegram triggered the United States' entry into World War I; and Allied reading of Nazi Germany's ciphers shortened World War II, in some evaluations by as much as two years.

Until the 1970s, secure cryptography was largely the preserve of governments. Two events have since brought it squarely into the public domain: the creation of a public encryption standard (DES), and the invention of public-key cryptography.

Classical cryptography

The earliest known use of cryptography is found in non-standard hieroglyphs carved into monuments from the Old Kingdom of Egypt circa 1900 BC.[1] These are not thought to be serious attempts at secret communications, however, but rather to have been attempts at mystery, intrigue, or even amusement for literate onlookers.[1] These are examples of still other uses of cryptography, or of something that looks (impressively if misleadingly) like it. Some clay tablets from Mesopotamia somewhat later are clearly meant to protect information: one dated near 1500 BCE was found to encrypt a craftsman's recipe for pottery glaze, presumably commercially valuable.[2][3] Later still, Hebrew scholars made use of simple monoalphabetic substitution ciphers (such as the Atbash cipher) beginning perhaps around 500 to 600 BCE.[4][5]

The ancient Greeks are said to have known of ciphers. The scytale transposition cipher was used by the Spartan military;[5] however, it is disputed whether the scytale was for encryption, authentication, or avoiding bad omens in speech.[6][7] Herodotus tells us of secret messages physically concealed beneath wax on wooden tablets or as a tattoo on a slave's head concealed by regrown hair, though these are not properly examples of cryptography per se, as the message, once known, is directly readable; this is known as steganography. Another Greek method was developed by Polybius (now called the "Polybius Square").[5] The Romans knew something of cryptography (e.g., the Caesar cipher and its variations).

A Scytale, an early device for encryption.


Medieval cryptography

It was probably religiously motivated textual analysis of the Qur'an which led to the invention of the frequency analysis technique for breaking monoalphabetic substitution ciphers, possibly by Al-Kindi, an Arab mathematician, sometime around AD 800 (Ibrahim Al-Kadi 1992). It was the most fundamental cryptanalytic advance until WWII. Al-Kindi wrote a book on cryptography entitled Risalah fi Istikhraj al-Mu'amma (Manuscript for the Deciphering Cryptographic Messages), in which he described the first cryptanalysis techniques, including some for polyalphabetic ciphers, cipher classification, Arabic phonetics and syntax, and, most importantly, gave the first descriptions of frequency analysis.[8] He also covered methods of encipherment, cryptanalysis of certain encipherments, and statistical analysis of letters and letter combinations in Arabic.[9][10]

Ahmad al-Qalqashandi (1355-1418) wrote the Subh al-a'sha, a 14-volume encyclopedia which included a section on cryptology. This information was attributed to Ibn al-Durayhim, who lived from 1312 to 1361, but whose writings on cryptography have been lost. The list of ciphers in this work included both substitution and transposition, and for the first time, a cipher with multiple substitutions for each plaintext letter. Also traced to Ibn al-Durayhim is an exposition on and worked example of cryptanalysis, including the use of tables of letter frequencies and sets of letters which cannot occur together in one word. Essentially all ciphers remained vulnerable to the cryptanalytic technique of frequency analysis until the development of